cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Write Virus Samples to Files tweak

Jump to solution

Good day,

We are currently using the Write Virus Samples to Files" rule but i have a question. In my environment, we have servers that are sending small eicar files to verify that the ICAP service is running on our MWGs. When i enable the rule, it fills the log up pretty quick. I was wondering how i might be able to tweak the rule to where it will not generate a file for eicar files? 

1 Solution

Accepted Solutions
mkutrieba
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Write Virus Samples to Files tweak

Jump to solution

Hello,

there are different ways of achieving this. First probably makes most sense and second one only if server would send requests to websites rather than sending files.

1) Default rule has 2 criteria: Client IP is in range list AND Antimalware.Infected equals true.
This could be modified to Client IP is not in range list/is not in list AND antimalware.infected equals true. Then enter server IP in list.
If now clients/users run through this, it is true as their IP is not in list and if sample gets true then rule is normally executed. If server IP runs through, first criteria is False as this IP is indeed in the list and rule will not be executed.

2) This only would work, if server sends requests to eicar site:
Depending on how you have configured this at the moment, you could simply add another criteria:
AND URL.Host does not match *eicar.com*
So if requests come in, your pre-defined rules are matching (whatever you have configured) and then URL host is checked and google.com for example would match as it does not match eicar.com and is true and if a request comes in on eicar, it would result in False and therefore rule would not trigger.

At the end, you can play around with Client.IP property which I think is the fastest and easiest way.
Let me know if you have further questions.

Regards,
Marcel Kutrieba
Technical Support Engineer

If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

View solution in original post

3 Replies
mkutrieba
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Write Virus Samples to Files tweak

Jump to solution

Hello,

there are different ways of achieving this. First probably makes most sense and second one only if server would send requests to websites rather than sending files.

1) Default rule has 2 criteria: Client IP is in range list AND Antimalware.Infected equals true.
This could be modified to Client IP is not in range list/is not in list AND antimalware.infected equals true. Then enter server IP in list.
If now clients/users run through this, it is true as their IP is not in list and if sample gets true then rule is normally executed. If server IP runs through, first criteria is False as this IP is indeed in the list and rule will not be executed.

2) This only would work, if server sends requests to eicar site:
Depending on how you have configured this at the moment, you could simply add another criteria:
AND URL.Host does not match *eicar.com*
So if requests come in, your pre-defined rules are matching (whatever you have configured) and then URL host is checked and google.com for example would match as it does not match eicar.com and is true and if a request comes in on eicar, it would result in False and therefore rule would not trigger.

At the end, you can play around with Client.IP property which I think is the fastest and easiest way.
Let me know if you have further questions.

Regards,
Marcel Kutrieba
Technical Support Engineer

If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

View solution in original post

smasnizk
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 4

Re: Write Virus Samples to Files tweak

Jump to solution

Dear @mikeyland1981 

 

this rule Set have Rule "Anti-Malware: Quarantine IP Range" to limit logging to a specific Client IP. This rule is not fix and can be changed to your needs. You can add vor example "URL.Host" or "Body.FileName" criteria to exclude your EICAR test. What ever works for you.

 

For Example: 

Rule Name: "Anti-Malware: Quarantine IP Range"

Criteria:

1: ClientIP is in range <xyz> AND

2: Body.FileName dose not matches "eichar.txt" AND

3: Antimalware.Infected eq true AND

 

P.S.: noticed my replay overlaps with previous replay from my colleague. Just use what is more suitable for you.

Best Regards,
Sergej


If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Re: Write Virus Samples to Files tweak

Jump to solution

Most individuals and business holders ignore the need for data security. They, unintentionally, expose their data to
threats, malware, identity thefts, XSS attacks, and more. Thus, they lose all their precious data in seconds. McAfee
provides a layer of protection to your Mobiles, PC, and Mac devices. It keeps away all malicious entities that are trying
to reach your data, thereby, giving you a secure smart device usage. Since its establishment in 1987, it has held the hand
of its customers tight, giving credible products to fight against cyber threats. Get your Mac, Mobile, and PC devices
protected with cybercrime now! Download and install McAfee at
Mcafee activate product key.
McAfee provides an easy and compatible way to safeguard devices and data. This cyber-security software helps users in
removing annoying viruses, malware, trojans, and spyware from the device. It also restricts malicious sites to get into
the system.McAfee is known for its reliable, smart device and web security services. Potential users can easily reach the
site using the link Download mcafee with product key.
McAfee can be used on any compatible device to safeguard the device's internal system and private and important data from
viruses, malware, and spyware. To get started with McAfee, utilize the link www.mcafee.com/activate and login to your
registered account credentials. If it comes to activation, follow the activation guidelines at
Mcafee activate enter product key.
Digital security is one of the most critical things in the modern world. Hackers and spammers are continually keeping a
vicious eye on your sensitive data that can be used to threaten the safety and security of your personal and professional
life. To avoid any unauthorized access to your system and unwanted use of your data, you should make every possible effort
to keep your system secured, and McAfee Antivirus is the best solution for that. You can get this reliable antivirus by
visiting Install mcafee with product key, and it will start
protecting your device against viruses, malware, phishing, and every possible digital element that can threaten the safety
and functioning of your system. McAfee Antivirus is compatible with all the leading operating systems, including Windows,
macOS, Linux, and Android. For more information, please visit
Download McAfee with Activation Code.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community